A friend of mine (actually, a co-worker) wants to play a little game with me: we both want to set up a web server at home and try to hack each other. Since we are both web app developers, we think it would be a good exercise for us to learn both the defense and the attack of such servers.

We will install a VPN so we can do our stuff without alerting/disturbing anyone else. However, we plan to secure our servers as much as we can so having them face the internet (instead of using a VPN) wouldn't be a big worry for us.

Finally, we will give each other written permissions before we start doing anything.

My question is: if we didn't use a VPN and our servers were serving web pages on the internet, could our scans, brute-force attacks, etc. disturb other people?

Here I'm thinking mostly of our respective ISPs (and possibly others?). What could we do to mitigate the risk of getting into trouble instead of using the VPN? Or maybe it doesn't make any difference?

I want to add that I will use a VPN regardless of the answers and we both have no malicious intention whatsoever. We want to compete, that's all!!

This seems like a fun game! Good luck, and you'd better win, because I will be cheering for you.

If you direct your scans/attacks directly at the system of your friend, you don't have to worry about disturbing other people. This happens all the time on the internet by other people. Think of automated zombies scanning for other victims, black hats scanning full domains for vulnerable systems, script kiddies who don't know what they're doing, and don't forget Windows machines that generate weird traffic for no reason at all. This blends in with what is called "internet static" that doesn't disturb anyone and is just "there".

If you just focus on the machine at hand, and not anything ISP related (like DNS poisoning), you will be fine...

CISSP, CEH, ECSA, OSCP, OSWP, eCPPT, eWAPT

earning my stripes appears to be a road i must travel alone...with a little help of EH.net

My only note would be that IF you bypass the VPN route, I wouldn't be doing your port scanning, etc., on the open network. When done over VPN, it's all tunneled across the single port / connection of the VPN, whereas if you port scan openly on your internet connection, many ISPs will disconnect you, and possibly terminate your service. I know my home ISP has strict policies forbidding port scanning, etc., and WILL close out my service if I perform those activities from home. (Thus the VPN, to keep it looking "legit" when I test things from home.)

~ hayabusa ~

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'

hayabusa wrote: "if you port scan openly on your internet connection, many ISPs will disconnect you, and possibly terminate your service. I know my home ISP has strict policies forbidding port scanning, etc., and WILL close out my service if I perform those activities from home."

My ISP acts a little differently. If I run NMAP against my work's firewall (usually after I make big changes to it), AT&T moves the box out from behind the firewall and leaves it wide open to everything. I've only had the one box, so I don't know if they do it to the whole network. I do know that the TV, DVR and surfing the web don't work right when they do it.

Their status message says there is a firewall behind their firewall: please fix or set up a DMZ.

H1t M0nk3y wrote: "Is Hayabusa the only one warned or blocked by their ISP?"

I was going to warn you against this as well. Some ISPs prohibit this completely while others will sell you a premium service where those types of activities are acceptable. I'd definitely check with your ISP before doing anything.

I have done a couple of pentests from my home and haven't gotten into any trouble with my ISP, so it depends on the ISP. I'm sure there is an answer to this in the FAQ of your current ISP. I know mine is too busy capping newsgroup bandwidth from the leechers, so they are forgetting about us.


My ISP is apparently too busy to block anything. I haven't heard of a single instance of them blocking someone or some scan because it looked malicious. Neither have I seen any mention of blocking malicious scans in their policy and FAQ. So I guess I'm free to do whatever pleases me.

Last edited by Xen on Sat May 15, 2010 11:19 pm, edited 1 time in total.

@chrisj: I was thinking of using SSL certificates at both ends of the VPN connection for dual authentication. This way, I will know who is connected. But this only works amongst friends. A nickname in a forum isn't really a person you can trust...

Also, the goal is to have a very secure box. So even if it were wide open to the internet, it wouldn't be too bad (at least, for this box). But you are right, a VPN ending in a DMZ would be better.